December 11th, 2012

The Hidden Costs of Open-Source Content Management Systems

The last post touched on open-source content management systems’ origins and a brief overview of the differences between available technologies. In this post, we will discuss the hidden costs of free open-source software.

Hidden costs… I thought it was free?

Open-source content management systems’ hidden costs begin with the “dark side” of the Internet: people trying to spam or to infect users with malware and viruses for their own selfish gain. This Star Wars quote pretty much sums it up:

“Again and again the dark side has surged forth, like a storm…devouring whole worlds and entire star systems. Those who mastered dark power became dark power. They unleashed destruction, for no other reason than for selfish gain.”

–Ood Bnar

The gain sought in this case is your private information. In order to obtain your info, they need a way to gain access to someone’s server or web site where this information is stored. Web sites, compared to servers, are often much easier to hack. And once someone gains access to a web site, they also gain access to the site’s server. Therefore, for hackers it makes the most sense to go after easily compromised web sites.

Why are web sites hacked?

Consider this scenario: if you were shopping in a run-down, shady-looking store with too-good-to-be-true prices on everything, would you really feel comfortable paying with a credit card? Probably not. Something about that place would just feel wrong enough for you to not make a purchase, or to do so using cash.

Now consider an online store with no cash option, a questionable look and a too-good-to-be-true offer to sell and ship you a brand new computer for $50.  All you have to do is fill out your information and enter your credit card number. You would notice the scam and go to an online store you trust.  Something this obvious is not an effective way for scammers to steal billing and credit card information.  They would spend all their time building new scam websites to trick people.

Scammers get around the trust barrier by hijacking legitimate web sites with established trust. People don’t think twice about entering their information on a trusted web site, and most of them probably already have an account with their credit card info to speed up checkout. The only thing standing between a potential thief and your customers is… you guessed it, your web site’s source code.

To perform their dark magic, all a hacker needs to do is sneak their way past your web site’s source code and find a way to run their own code on your server. If a hacker accesses your source code, they can control your web site and server. They can modify your code, redirect your users, ask your visitors to download a PDF containing a virus that will compromise their computer, advertise for knockoff drugs, or spam anyone they want. The worst part… if a hacker manages to pull it off, they get what they wanted and your web site will be the one taking the blame.

Your Website, The Proverbial Vault

But don’t worry, your new web site has all kinds of built-in security, right? Logins, passwords, secure databases, SSL certificates, and all sorts of other measures are designed for the sole purpose of keeping those from the dark side out of your web site. These measures are a proverbial bank vault, securing everything that you and your customers hold dear.

You know that your new web site is secured and protected against intrusion… so why all the concern? Remember the open part about open-source… yeah, the source code for your website – essentially its blueprints – is all over the Internet for anyone to see. The benefit of open-source is that anyone can see the code, understand how it works, and modify it to do what they want. The downside of open-source is that anyone can see the code, understand how it works, and circumvent it to do what they want.

Don’t Fret – Just Update

Before you worry too much, let’s talk facts.  The teams of people who work on the open-source content management systems are constantly receiving, evaluating, and fixing reported security flaws, which could be or have already been exploited by the dark side.

So what’s the problem, then? The most secure versions of open-source content management systems are those that are the most up-to-date. Now, be honest with yourself here: do you install the updates each time you see a notification?  If you do so, well done. If you don’t, you’re missing out on the patches for security exploits existing in your open-source content management system and increasing the risk of your site being compromised.  Unfortunately, updating your CMS install is never as simple as just clicking a button.

Getting Your Virtual Oil Changed

Updating is part of the problem, but it is not the whole problem. Sometimes the community updating open-source content management systems has to change major functionalities to fix security flaws. When functions change, any plugin or addition to the software that took advantage of the changed function will also need to be updated in order to work properly. Therefore, updating your web site’s software is rarely as simple as clicking a single button.  Updating is a lengthy process of altering plugins and additions to match the new functionalities of the open-source content management systems’ updates.

My point is this: it doesn’t matter what we buy, everything comes with an inherent understanding that, at some point, it will break or need to be upgraded.  We buy TVs, cell phones, stereo systems, computers, radios, lamps, furniture, beds, and pretty much everything else in our life with the knowledge that we will replace it, fix it, or upgrade it at some point. It doesn’t matter if it’s a $30 Bluetooth headset, a $30,000 car, or a $300,000 house; we know there will be additional work, time, and/or money to maintain those things down the road.

The inner workings of your website are not going to catastrophically seize like the pistons in your car will if you never change the oil. However, if you neglect updates and other regular maintenance, your website’s performance will degrade over time or break down. Sure, after a breakdown experts can restore your site to its original glory. But that costs more time, money and headache than it would to be proactive with updating and keeping things current.

100,000 miles and beyond

Leveraging an open-source framework can be the best way to get yourself a feature-rich website that does everything you need without going over budget. Remembering to only use well-documented, supported and current open-source technology will allow you to make the most of open-source while keeping you, your developers, and your users safe and happy for the long haul.

